C960657

Name of the Vulnerable Software and Affected Versions: Symfony versions 2.7.x through 2.7.32 Symfony versions 2.8.x through 2.8.25 Symfony versions 3.x through 3.2.12 Symfony versions 3.3.x through 3.3.5 Description: The issue concerns a problem with the debug handler in Symfony, where there is a potential for XSS via an array key during exception pretty printing in ExceptionHandler.php. This can be demonstrated by a "/ debugbar/open?op=get" URI. The vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. The Symfony Debug component is also used by Laravel Debugbar. Recommendations: For Symfony versions 2.7.x through 2.7.32, update to version 2.7.33 or later. For Symfony versions 2.8.x through 2.8.25, update to version 2.8.26 or later. For Symfony versions 3.x through 3.2.12, update to version 3.2.13 or later. For Symfony versions 3.3.x through 3.3.5, update to version 3.3.6 or later. As a temporary workaround, consider disabling the debug tools in production environments to minimize the risk of exploitation.